Intermediate

Give your containers time to clean up. Configure grace periods to ensure database connections close, transactions complete, and data saves properly. The problem By default, Docker gives containers 10 seconds to stop before forcefully killing them: services: app: image: myapp:latest # Container gets SIGTERM, then SIGKILL after 10s This can interrupt long-running operations and corrupt data. The solution Use stop_grace_period to extend shutdown time: services: worker: image: myworker:latest stop_grace_period: 2m # 2 minutes to finish current job stop_signal: SIGTERM # Signal to send first (default) Real-world examples Different services need different grace periods: ...

Stop copy-pasting the same configuration. YAML anchors let you define once and reuse everywhere in your Compose files. The basics Define an anchor with & and reference it with *: services: web: &default-app image: myapp:latest environment: NODE_ENV: production LOG_LEVEL: info networks: - app-network worker: <<: *default-app # Inherit all settings from web command: npm run worker The worker service inherits everything from web, then overrides the command. ...

Prevent containers from consuming all available resources. Set CPU and memory limits to ensure stable multi-service deployments. The basics Resource limits protect your system from runaway containers: services: api: image: node:20 deploy: resources: limits: cpus: '0.5' # Half a CPU core memory: 512M # 512 megabytes reservations: cpus: '0.25' # Minimum guaranteed memory: 256M The container can use up to 512MB memory and 50% of one CPU core. ...

Running containers as root is a security risk. Configure your services to use non-root users for defense in depth. The problem By default, many containers run as root: services: app: image: nginx # Runs as root user (uid 0) - security risk! If compromised, attackers have root privileges inside the container. The solution Set the user in compose.yml: services: app: image: node:20 user: "1000:1000" # Run as uid:gid 1000 working_dir: /app volumes: - ./app:/app Or use the image’s built-in user: ...

Need your frontend project to talk to a backend in another Compose project? External networks let you connect containers across different stacks. The problem Two separate Compose projects need to communicate: frontend/compose.yml - React app backend/compose.yml - API service By default, each creates its own isolated network. The solution Create a shared external network: # Create the network once docker network create shared-network Then reference it in both projects: backend/compose.yml: ...